redline | 9f502d67a0bf8c88a2569789a6ac21bd3bf80840b5eabcabffb6c493f7ba475e

Analysis

max time kernel
5s
max time network
197s
platform
windows7_x64
resource
win7v20210410
submitted
14-06-2021 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21500B8F26A794E243DB18E50B19604F.exe
Size

4.5MB
MD5

21500b8f26a794e243db18e50b19604f
SHA1

026efe006209bb1b0da8da054f0d3a6c3080eecd
SHA256

9f502d67a0bf8c88a2569789a6ac21bd3bf80840b5eabcabffb6c493f7ba475e
SHA512

9edcf82233c2b60426933c963a2ff733234f415923f47677b795566347e0b7af49ada81f0c060d38b8527b66df9422b131af598ca65a86ef1a4b83c39eea69db

Score

10^/10

redline vidar 706 aspackv2 evasion infostealer persistence stealer trojan upx

Malware Config

Extracted

Family

vidar

Version

39.3

Botnet

706

https://bandakere.tumblr.com

Attributes

profile_id
706

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/1964-189-0x0000000000320000-0x00000000003B7000-memory.dmp	family_vidar
behavioral1/memory/1964-190-0x0000000000400000-0x0000000000C69000-memory.dmp	family_vidar

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000300000001310e-60.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-61.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-62.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-64.dat	aspack_v212_v242
behavioral1/files/0x0005000000013101-65.dat	aspack_v212_v242
behavioral1/files/0x00040000000130fe-68.dat	aspack_v212_v242
behavioral1/files/0x00040000000130fe-67.dat	aspack_v212_v242
behavioral1/files/0x0005000000013101-66.dat	aspack_v212_v242
behavioral1/files/0x0003000000013103-73.dat	aspack_v212_v242
behavioral1/files/0x0003000000013103-74.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-76.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-77.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-78.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-79.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1196	setup_install.exe
1496	metina_1.exe
1964	metina_3.exe
640	metina_4.exe
1348	metina_5.exe
1100	metina_6.exe
1176	metina_7.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000130fe-164.dat	upx
behavioral1/files/0x00050000000130fe-166.dat	upx
behavioral1/files/0x00050000000130fe-163.dat	upx

Loads dropped DLL 29 IoCs

pid	Process
1208	21500B8F26A794E243DB18E50B19604F.exe
1208	21500B8F26A794E243DB18E50B19604F.exe
1208	21500B8F26A794E243DB18E50B19604F.exe
1196	setup_install.exe
1196	setup_install.exe
1196	setup_install.exe
1196	setup_install.exe
1196	setup_install.exe
1196	setup_install.exe
1196	setup_install.exe
1196	setup_install.exe
1488	cmd.exe
524	cmd.exe
484	cmd.exe
524	cmd.exe
516	cmd.exe
1964	metina_3.exe
1964	metina_3.exe
560	timeout.exe
1496	metina_1.exe
1496	metina_1.exe
288	cmd.exe
1176	metina_7.exe
1176	metina_7.exe
640	metina_4.exe
640	metina_4.exe
1100	metina_6.exe
1100	metina_6.exe
1176	metina_7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	metina_4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
57	ip-api.com
96	ipinfo.io
185	ip-api.com
227	ipinfo.io
100	ipinfo.io
193	ipinfo.io
195	ipinfo.io
224	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2484	860	WerFault.exe	54

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
560	timeout.exe
2564	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2056	taskkill.exe
2268	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2604	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	109	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	194	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	198	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	226	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	229	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1196	1208	21500B8F26A794E243DB18E50B19604F.exe	26
PID 1208 wrote to memory of 1196	1208	21500B8F26A794E243DB18E50B19604F.exe	26
PID 1208 wrote to memory of 1196	1208	21500B8F26A794E243DB18E50B19604F.exe	26
PID 1208 wrote to memory of 1196	1208	21500B8F26A794E243DB18E50B19604F.exe	26
PID 1208 wrote to memory of 1196	1208	21500B8F26A794E243DB18E50B19604F.exe	26
PID 1208 wrote to memory of 1196	1208	21500B8F26A794E243DB18E50B19604F.exe	26
PID 1208 wrote to memory of 1196	1208	21500B8F26A794E243DB18E50B19604F.exe	26
PID 1196 wrote to memory of 1488	1196	setup_install.exe	29
PID 1196 wrote to memory of 1488	1196	setup_install.exe	29
PID 1196 wrote to memory of 1488	1196	setup_install.exe	29
PID 1196 wrote to memory of 1488	1196	setup_install.exe	29
PID 1196 wrote to memory of 1488	1196	setup_install.exe	29
PID 1196 wrote to memory of 1488	1196	setup_install.exe	29
PID 1196 wrote to memory of 1488	1196	setup_install.exe	29
PID 1196 wrote to memory of 1260	1196	setup_install.exe	31
PID 1196 wrote to memory of 1260	1196	setup_install.exe	31
PID 1196 wrote to memory of 1260	1196	setup_install.exe	31
PID 1196 wrote to memory of 1260	1196	setup_install.exe	31
PID 1196 wrote to memory of 1260	1196	setup_install.exe	31
PID 1196 wrote to memory of 1260	1196	setup_install.exe	31
PID 1196 wrote to memory of 1260	1196	setup_install.exe	31
PID 1196 wrote to memory of 524	1196	setup_install.exe	45
PID 1196 wrote to memory of 524	1196	setup_install.exe	45
PID 1196 wrote to memory of 524	1196	setup_install.exe	45
PID 1196 wrote to memory of 524	1196	setup_install.exe	45
PID 1196 wrote to memory of 524	1196	setup_install.exe	45
PID 1196 wrote to memory of 524	1196	setup_install.exe	45
PID 1196 wrote to memory of 524	1196	setup_install.exe	45
PID 1196 wrote to memory of 484	1196	setup_install.exe	32
PID 1196 wrote to memory of 484	1196	setup_install.exe	32
PID 1196 wrote to memory of 484	1196	setup_install.exe	32
PID 1196 wrote to memory of 484	1196	setup_install.exe	32
PID 1196 wrote to memory of 484	1196	setup_install.exe	32
PID 1196 wrote to memory of 484	1196	setup_install.exe	32
PID 1196 wrote to memory of 484	1196	setup_install.exe	32
PID 1196 wrote to memory of 516	1196	setup_install.exe	44
PID 1196 wrote to memory of 516	1196	setup_install.exe	44
PID 1196 wrote to memory of 516	1196	setup_install.exe	44
PID 1196 wrote to memory of 516	1196	setup_install.exe	44
PID 1196 wrote to memory of 516	1196	setup_install.exe	44
PID 1196 wrote to memory of 516	1196	setup_install.exe	44
PID 1196 wrote to memory of 516	1196	setup_install.exe	44
PID 1488 wrote to memory of 1496	1488	cmd.exe	42
PID 1488 wrote to memory of 1496	1488	cmd.exe	42
PID 1488 wrote to memory of 1496	1488	cmd.exe	42
PID 1488 wrote to memory of 1496	1488	cmd.exe	42
PID 1488 wrote to memory of 1496	1488	cmd.exe	42
PID 1488 wrote to memory of 1496	1488	cmd.exe	42
PID 1488 wrote to memory of 1496	1488	cmd.exe	42
PID 1196 wrote to memory of 560	1196	setup_install.exe	33
PID 1196 wrote to memory of 560	1196	setup_install.exe	33
PID 1196 wrote to memory of 560	1196	setup_install.exe	33
PID 1196 wrote to memory of 560	1196	setup_install.exe	33
PID 1196 wrote to memory of 560	1196	setup_install.exe	33
PID 1196 wrote to memory of 560	1196	setup_install.exe	33
PID 1196 wrote to memory of 560	1196	setup_install.exe	33
PID 1196 wrote to memory of 288	1196	setup_install.exe	41
PID 1196 wrote to memory of 288	1196	setup_install.exe	41
PID 1196 wrote to memory of 288	1196	setup_install.exe	41
PID 1196 wrote to memory of 288	1196	setup_install.exe	41
PID 1196 wrote to memory of 288	1196	setup_install.exe	41
PID 1196 wrote to memory of 288	1196	setup_install.exe	41
PID 1196 wrote to memory of 288	1196	setup_install.exe	41
PID 484 wrote to memory of 640	484	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\21500B8F26A794E243DB18E50B19604F.exe
"C:\Users\Admin\AppData\Local\Temp\21500B8F26A794E243DB18E50B19604F.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_1.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\metina_1.exe
      metina_1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_2.exe
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_4.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\metina_4.exe
      metina_4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:640
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_6.exe
    3⤵
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\metina_6.exe
      metina_6.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_7.exe
    3⤵
    - Loads dropped DLL
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_5.exe
    3⤵
    - Loads dropped DLL
    PID:516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_3.exe
    3⤵
    - Loads dropped DLL
    PID:524

C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\metina_5.exe
metina_5.exe
1⤵
- Executes dropped EXE
PID:1348
- C:\Users\Admin\AppData\Local\Temp\is-AKV80.tmp\metina_5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AKV80.tmp\metina_5.tmp" /SL5="$7012E,189670,105984,C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\metina_5.exe"
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\is-344MA.tmp\(_____(_(_________))235 Smeargle.exe
    "C:\Users\Admin\AppData\Local\Temp\is-344MA.tmp\(_____(_(_________))235 Smeargle.exe" /S /UID=burnerch1
    3⤵
    PID:2304
  - - C:\Program Files\Windows NT\IYKKYPIGCZ\ultramediaburner.exe
      "C:\Program Files\Windows NT\IYKKYPIGCZ\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:2792
    - - C:\Users\Admin\AppData\Local\Temp\is-PNJFQ.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PNJFQ.tmp\ultramediaburner.tmp" /SL5="$20166,281924,62464,C:\Program Files\Windows NT\IYKKYPIGCZ\ultramediaburner.exe" /VERYSILENT
        5⤵
        
        PID:2840
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        
        PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\53-28dff-3dd-6bd84-014eb7ba9532b\Qixipabolo.exe
      "C:\Users\Admin\AppData\Local\Temp\53-28dff-3dd-6bd84-014eb7ba9532b\Qixipabolo.exe"
      4⤵
      PID:2828
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 368
        5⤵
        
        PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\61-be524-d98-318a0-54e6e949c1150\Cagygushoge.exe
      "C:\Users\Admin\AppData\Local\Temp\61-be524-d98-318a0-54e6e949c1150\Cagygushoge.exe"
      4⤵
      PID:2864
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xo20lnmm.blg\001.exe & exit
        5⤵
        
        PID:2440
      - C:\Users\Admin\AppData\Local\Temp\xo20lnmm.blg\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\xo20lnmm.blg\001.exe
        6⤵
        
        PID:2596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iif21icg.gdt\JoSetp.exe & exit
        5⤵
        
        PID:2612
      - C:\Users\Admin\AppData\Local\Temp\iif21icg.gdt\JoSetp.exe
        
        C:\Users\Admin\AppData\Local\Temp\iif21icg.gdt\JoSetp.exe
        6⤵
        
        PID:288
        
        C:\Users\Admin\AppData\Roaming\7751300.exe
        
        "C:\Users\Admin\AppData\Roaming\7751300.exe"
        7⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\3432745.exe
        
        "C:\Users\Admin\AppData\Roaming\3432745.exe"
        7⤵
        
        PID:1492
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tag1jeoj.5jr\GcleanerEU.exe /eufive & exit
        5⤵
        
        PID:2528
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ja2j2ywc.vwt\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:2572
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\plwgyjyu.whu\gaoou.exe & exit
        5⤵
        
        PID:2820
      - C:\Users\Admin\AppData\Local\Temp\plwgyjyu.whu\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\plwgyjyu.whu\gaoou.exe
        6⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:2536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ccuhovf4.kto\Setup3310.exe /Verysilent /subid=623 & exit
        5⤵
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\ccuhovf4.kto\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\ccuhovf4.kto\Setup3310.exe /Verysilent /subid=623
        6⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\is-7OP8J.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7OP8J.tmp\Setup3310.tmp" /SL5="$20284,138429,56832,C:\Users\Admin\AppData\Local\Temp\ccuhovf4.kto\Setup3310.exe" /Verysilent /subid=623
        7⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\is-2Q1ND.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2Q1ND.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:2424
        
        C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
        9⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        10⤵
        
        PID:2624
        
        C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
        9⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        10⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        11⤵
        Kills process with taskkill
        
        PID:2268
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        11⤵
        Delays execution with timeout.exe
        
        PID:2564
        
        C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
        9⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        10⤵
        
        PID:2312
        
        C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        9⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\is-PDGGU.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PDGGU.tmp\lylal220.tmp" /SL5="$10344,491750,408064,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
        10⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\is-5A1S2.tmp\56FT____________________.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5A1S2.tmp\56FT____________________.exe" /S /UID=lylal220
        11⤵
        
        PID:2676
        
        C:\Program Files\Common Files\NKAUHAHCFB\irecord.exe
        
        "C:\Program Files\Common Files\NKAUHAHCFB\irecord.exe" /VERYSILENT
        12⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\is-EE7T5.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-EE7T5.tmp\irecord.tmp" /SL5="$20310,6139911,56832,C:\Program Files\Common Files\NKAUHAHCFB\irecord.exe" /VERYSILENT
        13⤵
        
        PID:2404
        
        C:\Program Files (x86)\recording\i-record.exe
        
        "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
        14⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\bd-5bcea-c7f-e0e87-35a0026ad441b\Pedaexaehise.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bd-5bcea-c7f-e0e87-35a0026ad441b\Pedaexaehise.exe"
        12⤵
        
        PID:2596
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 356
        13⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\b7-83084-9fa-42496-cad90bef15cd4\Lizhominyhy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b7-83084-9fa-42496-cad90bef15cd4\Lizhominyhy.exe"
        12⤵
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\trufoa0j.tzo\001.exe & exit
        13⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\trufoa0j.tzo\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\trufoa0j.tzo\001.exe
        14⤵
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x33q422i.52d\GcleanerEU.exe /eufive & exit
        13⤵
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wzoebezi.yf0\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hf1ujtxp.atf\gaoou.exe & exit
        13⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\hf1ujtxp.atf\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\hf1ujtxp.atf\gaoou.exe
        14⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dcil1tc2.v1q\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\dcil1tc2.v1q\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\dcil1tc2.v1q\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\is-BVR90.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BVR90.tmp\Setup3310.tmp" /SL5="$1042E,138429,56832,C:\Users\Admin\AppData\Local\Temp\dcil1tc2.v1q\Setup3310.exe" /Verysilent /subid=623
        15⤵
        
        PID:3064
        
        C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        9⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\is-MPSG9.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MPSG9.tmp\LabPicV3.tmp" /SL5="$202F4,506086,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
        10⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\is-VB62K.tmp\_____________.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VB62K.tmp\_____________.exe" /S /UID=lab214
        11⤵
        
        PID:1496
        
        C:\Program Files\Windows Mail\TGIOCANXQU\prolab.exe
        
        "C:\Program Files\Windows Mail\TGIOCANXQU\prolab.exe" /VERYSILENT
        12⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\is-JIB3Q.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JIB3Q.tmp\prolab.tmp" /SL5="$3028E,575243,216576,C:\Program Files\Windows Mail\TGIOCANXQU\prolab.exe" /VERYSILENT
        13⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\52-55931-5d2-982b6-369b62c14f06b\Gelicorujo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\52-55931-5d2-982b6-369b62c14f06b\Gelicorujo.exe"
        12⤵
        
        PID:2136
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 356
        13⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\d5-a1cef-9c5-6499a-1b9fb8e6ba6e8\Kukaquwaeme.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d5-a1cef-9c5-6499a-1b9fb8e6ba6e8\Kukaquwaeme.exe"
        12⤵
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ewm3vff0.rnh\001.exe & exit
        13⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\ewm3vff0.rnh\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\ewm3vff0.rnh\001.exe
        14⤵
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wl5zsbzx.yum\GcleanerEU.exe /eufive & exit
        13⤵
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\13kgcd1o.glk\installer.exe /qn CAMPAIGN="654" & exit
        13⤵
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uhfz3quc.bos\gaoou.exe & exit
        13⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\uhfz3quc.bos\gaoou.exe
        
        C:\Users\Admin\AppData\Local\Temp\uhfz3quc.bos\gaoou.exe
        14⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        15⤵
        
        PID:300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3qyu5iad.smd\Setup3310.exe /Verysilent /subid=623 & exit
        13⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3qyu5iad.smd\Setup3310.exe
        
        C:\Users\Admin\AppData\Local\Temp\3qyu5iad.smd\Setup3310.exe /Verysilent /subid=623
        14⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\is-6G5RT.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6G5RT.tmp\Setup3310.tmp" /SL5="$40106,138429,56832,C:\Users\Admin\AppData\Local\Temp\3qyu5iad.smd\Setup3310.exe" /Verysilent /subid=623
        15⤵
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cc2rc41n.yv1\google-game.exe & exit
        13⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\cc2rc41n.yv1\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\cc2rc41n.yv1\google-game.exe
        14⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init
        15⤵
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oyq00wsg.akq\005.exe & exit
        13⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\oyq00wsg.akq\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\oyq00wsg.akq\005.exe
        14⤵
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a4slmo2b.bnd\GcleanerWW.exe /mixone & exit
        13⤵
        
        PID:2180
        
        C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe
        
        "C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"
        9⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\3861291.exe
        
        "C:\Users\Admin\AppData\Roaming\3861291.exe"
        10⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Roaming\3389749.exe
        
        "C:\Users\Admin\AppData\Roaming\3389749.exe"
        10⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\8187546.exe
        
        "C:\Users\Admin\AppData\Roaming\8187546.exe"
        10⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\8187546.exe
        
        "{path}"
        11⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\8187546.exe
        
        "{path}"
        11⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\8187546.exe
        
        "{path}"
        11⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\8187546.exe
        
        "{path}"
        11⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Roaming\8187546.exe
        
        "{path}"
        11⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Roaming\8919304.exe
        
        "C:\Users\Admin\AppData\Roaming\8919304.exe"
        10⤵
        
        PID:2664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mqebsimq.wyi\google-game.exe & exit
        5⤵
        
        PID:3048
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g0oel5cs.0yt\005.exe & exit
        5⤵
        
        PID:2360
      - C:\Users\Admin\AppData\Local\Temp\g0oel5cs.0yt\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\g0oel5cs.0yt\005.exe
        6⤵
        
        PID:2492
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l3kfjksf.unl\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:1560
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jqrg2j5p.1g2\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        
        PID:2824

C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\metina_7.exe
metina_7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1176
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\BarSetpFile.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BarSetpFile.exe"
  2⤵
  PID:1692
- - C:\Users\Admin\AppData\Roaming\1024196.exe
    "C:\Users\Admin\AppData\Roaming\1024196.exe"
    3⤵
    PID:1708
- - C:\Users\Admin\AppData\Roaming\6712245.exe
    "C:\Users\Admin\AppData\Roaming\6712245.exe"
    3⤵
    PID:1812
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      PID:2516
- - C:\Users\Admin\AppData\Roaming\6214287.exe
    "C:\Users\Admin\AppData\Roaming\6214287.exe"
    3⤵
    PID:1920
  - - C:\Users\Admin\AppData\Roaming\6214287.exe
      "{path}"
      4⤵
      PID:2056
- - C:\Users\Admin\AppData\Roaming\7251392.exe
    "C:\Users\Admin\AppData\Roaming\7251392.exe"
    3⤵
    PID:860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1736
      4⤵
      Program crash
      PID:2484
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\rUNdlL32.eXe
    "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
    3⤵
    PID:2256
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
    3⤵
    PID:2540

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init
1⤵
PID:240

C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\metina_3.exe
metina_3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im metina_3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS8B4D8BC4\metina_3.exe" & del C:\ProgramData\*.dll & exit
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im metina_3.exe /f
    3⤵
    - Kills process with taskkill
    PID:2056
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Loads dropped DLL
    - Delays execution with timeout.exe
    PID:560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:328

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
1⤵
- Runs ping.exe
PID:2604

C:\Users\Admin\AppData\Local\Temp\mqebsimq.wyi\google-game.exe
C:\Users\Admin\AppData\Local\Temp\mqebsimq.wyi\google-game.exe
1⤵
PID:2288
- C:\Windows\SysWOW64\rUNdlL32.eXe
  "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init
  2⤵
  PID:2504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-174-0x0000000002110000-0x0000000002211000-memory.dmp

Filesize
1.0MB

Download
memory/240-175-0x0000000000390000-0x00000000003EC000-memory.dmp

Filesize
368KB

Download
memory/288-275-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

Filesize
8KB

Download
memory/328-264-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/328-263-0x00000000031F0000-0x00000000032F6000-memory.dmp

Filesize
1.0MB

Download
memory/328-186-0x0000000000490000-0x0000000000501000-memory.dmp

Filesize
452KB

Download
memory/860-208-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/860-216-0x0000000000980000-0x00000000009BB000-memory.dmp

Filesize
236KB

Download
memory/860-198-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/860-219-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/860-229-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/868-176-0x0000000000820000-0x000000000086B000-memory.dmp

Filesize
300KB

Download
memory/868-228-0x00000000015A0000-0x0000000001610000-memory.dmp

Filesize
448KB

Download
memory/868-225-0x00000000009A0000-0x00000000009EB000-memory.dmp

Filesize
300KB

Download
memory/868-177-0x0000000000DD0000-0x0000000000E41000-memory.dmp

Filesize
452KB

Download
memory/1196-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1196-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1196-143-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1196-133-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1196-131-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1196-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1196-136-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1196-139-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1196-146-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1196-83-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1196-147-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1196-125-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1208-59-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/1348-179-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1492-283-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1536-288-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1616-185-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1692-162-0x0000000000BA0000-0x0000000000BA2000-memory.dmp

Filesize
8KB

Download
memory/1692-159-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1692-158-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/1692-157-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1692-155-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/1708-226-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1708-199-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1708-209-0x00000000006B0000-0x00000000006D1000-memory.dmp

Filesize
132KB

Download
memory/1812-223-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1812-197-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1812-207-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1812-212-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/1920-200-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1920-265-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1920-234-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/1920-236-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1964-190-0x0000000000400000-0x0000000000C69000-memory.dmp

Filesize
8.4MB

Download
memory/1964-189-0x0000000000320000-0x00000000003B7000-memory.dmp

Filesize
604KB

Download
memory/2196-290-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/2196-289-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2196-302-0x0000000003980000-0x0000000003981000-memory.dmp

Filesize
4KB

Download
memory/2196-304-0x00000000039A0000-0x00000000039A1000-memory.dmp

Filesize
4KB

Download
memory/2196-301-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/2196-300-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/2196-299-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2196-298-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/2196-293-0x0000000003780000-0x00000000037D7000-memory.dmp

Filesize
348KB

Download
memory/2196-292-0x0000000003780000-0x00000000037D7000-memory.dmp

Filesize
348KB

Download
memory/2196-291-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/2196-303-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/2256-220-0x0000000010000000-0x0000000010002000-memory.dmp

Filesize
8KB

Download
memory/2256-222-0x0000000000AA0000-0x0000000000BA1000-memory.dmp

Filesize
1.0MB

Download
memory/2256-224-0x0000000000790000-0x00000000007EC000-memory.dmp

Filesize
368KB

Download
memory/2304-227-0x0000000002260000-0x0000000002262000-memory.dmp

Filesize
8KB

Download
memory/2304-221-0x0000000000350000-0x000000000035F000-memory.dmp

Filesize
60KB

Download
memory/2304-215-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2516-243-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2516-233-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2596-276-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/2596-274-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2792-246-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2828-252-0x0000000000A30000-0x0000000000A32000-memory.dmp

Filesize
8KB

Download
memory/2840-253-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2864-262-0x0000000000BA6000-0x0000000000BC5000-memory.dmp

Filesize
124KB

Download
memory/2864-254-0x0000000000BA0000-0x0000000000BA2000-memory.dmp

Filesize
8KB

Download
memory/2900-282-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2936-257-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download
memory/2936-266-0x0000000000506000-0x0000000000525000-memory.dmp

Filesize
124KB

Download
memory/2936-268-0x0000000000525000-0x0000000000526000-memory.dmp

Filesize
4KB

Download
memory/2996-260-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download